Vice-President of the European Commission responsible for the Digital Agenda

Cyber-security – a shared responsibility

Information Security Forum Conference, Chicago

4th November 2012

Every day, people worldwide rely on digital technologies and on the Internet for any kind of activity. Spanning from communication to healthcare and banking. Business in virtually all sectors and governments also rely on digital networks and infrastructure to provide their essential services.

However, growing cyber-security threats and higher vulnerability of networks and systems may hinder the benefits brought about by the Internet.

Incidents (also linked to human mistakes) and attacks are clearly on the rise. The number of web-based attacks went up 36% in the year 2011.

And the majority of respondents to the public consultation on cyber-security, that we recently run in the EU, affirmed to have experienced in the past year an incident with a significant impact on their activities.

If we want to preserve and promote the benefits of the digital world, we must put cyber security on the top of the agenda.

Cyber-security is a shared responsibility of public and private players and our policies strive to address this.

I believe however that we need to do more.

Networks and infrastructure are mainly privately owned and run.

However, the private sector clearly lacks adequate incentives to invest in security and to be transparent regarding the threats faced and the incidents occurred.

For example, according to Eurostat, by January 2012 only 26% of enterprises in the EU had a formally defined ICT security policy with a plan for regular review.

This share rose to over 50 % among those enterprises whose principal activity was ICT. This is however not enough.

Also, a very large majority of the respondents to our public consultation said that users are not sufficiently aware of the threat landscape.

I understand that companies do not share information due to fear of reputational damages or liability.

But the lack of information sharing slows down the capability to react.

In particular when an incident has repercussions outside the organisation and the other parties affected are unaware of an imminent threat or an incident that has already taken place.

Here is where the public sector comes into play.

Governments can not only provide the right incentives but also lead by example by strengthening their preparedness.

The European Strategy for Cyber-Security, which I plan to present with Commissioner Malmström and High Representative Ashton, would provide a comprehensive vision on cyber-security and would address both the EU and the international dimension.

The Strategy will focus on the need to improve the overall resilience of network and information systems, by stimulating the competitiveness of the European ICT industry as well as user demand for security functionalities in ICT products and services.

Those initiatives will be complemented by actions stepping up the fight against cybercrime. And by initiatives aiming at developing an external EU cyber security policy.

In the context of the Strategy, I also plan to present a legislative proposal setting up a high level of network and information security across the EU, with a view to ensuring the smooth functioning of the internal market.

First, I plan to require the Member States to be appropriately equipped and to cooperate among themselves.

We need to have no weak links across the EU.

Secondly, I am considering extending to new sectors (enablers of key Internet services, banking, energy, transport, health, public administrations) the obligations to adopt risk management measures and to report significant incidents to competent authorities that currently apply in the telecom sector in the EU.

These days, more and more sectors interact with, and critically depend on, ICT: there's an urgent case for creating a level playing field.

And indeed, almost all respondents to our public consultation indicated that there should be network and information security requirements in sectors like banking, energy, healthcare, Internet services and public administrations.

This legislation will overall help Europe get its own house in order and become and even more trusted partner at the international level.

International cooperation on cyber-security is one of my key priorities.

We work both bilaterally with key partners, including the US and Japan, and in multilateral fora, such as OECD, OSCE, UN, ITU.

Overall, it is for me of the utmost importance that in all activities we conduct internationally we strive to promote EU core values and fundamental rights, including freedom of expression and access to information as well as data protection and privacy.

The Strategy will address these aspects and take them forward.

Cyber-security should be recognised as a top political priority.

Here in the US it has long obtained political attention. It is time we do the same in Europe and worldwide.